FIDO Specs: Moving Beyond Passwords

Security experts see the FIDO Alliance's Dec. 9 release of two universal authentication specifications as a positive move in the effort to end reliance on passwords. But the standards' impact will be minimal unless they're widely adopted, which could prove to be an uphill climb.

The selling point for the universal authentication specifications - the Universal Authentication Framework, known as UAF, and the Universal Second Factor, known as U2F - is that they are open-source standards. And industry experts are touting the alliance's efforts to standardize advanced authentication tools, such as biometrics and hardware tokens.

"Passwords are one of the weakest links in security today, with more than 76 percent of all breaches involving weak or stolen credentials," says Patrick Peterson, CEO and founder of e-mail security firm Agari. "The industry has been in ... agreement that something needs to be done, but the ecosystem complexity has proven insurmountable until now. These specs will provide the underlying technology standard that will enable the end of the ineffective password and create a more secure, resilient Internet."

But for now, it's more prudent to let some of the bigger online players test the FIDO waters first, contends Scott Waddell, CTO at online security firm iovation.

"We believe UAF should be recommended, but not mandatory, until we see wider deployment of the framework," Waddell says. "Some major companies are backing the standard, but its success depends on device manufacturer and SaaS [software-as-a-service] provider adoption."

Waddell acknowledges, however, that if FIDO's framework can live up to its promise, it could have far-reaching results, especially from a payments perspective.

The framework could enhance PCI data security standards for data portability and authentication, he says. "The UAF is particularly useful for the increasing cloud-based and federated, single sign-on solutions. The framework has standardized how authentication can securely store and transfer data during the authentication process."

FIDO: Interoperable Authentication

The mission of the FIDO [Fast Identity Online] Alliance is to reduce, and eventually eliminate, the use of passwords for authentication.

The global not-for-profit alliance's first two universal specifications can be used with devices, servers, Web browsers and cloud applications. The alliance soon expects to publish extensions that will incorporate near-field communications and Bluetooth into FIDO's range of capabilities as well.

The alliance believes that for advanced authentication to become ubiquitous, mobile devices and PCs used for e-commerce and electronic banking need to be equipped with standards-based authentication mechanisms. Under FIDO's model, these devices will register users and then authenticate those users with private keys, so that no sensitive data is directly provided by the user.

Google, Others Roll Out FIDO

FIDO's work has garnered attention among big online players.

In October, Google announced its rollout of U2F as a second-factor layer of authentication for Chrome users.

Other implementations of FIDO's authentication are also available from Nok Nok Labs, Synaptics, Alibaba, PayPal, Samsung, Google, Yubico and Plug-Up.

These types of authentication methods are a necessity, says Paul Simmonds, CEO of the Global Identity Foundation, a coalition of security vendors, technology experts and others that's attempting to establish an international and open-source identity verification system.

"It's really good to see the FIDO specification reach version 1.0, as stronger authentication of the individual is a key component in providing higher levels of trust in the overall identity ecosystem," Simmonds says.

About the Author

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
